syslog failed login message not sent

Answered Question
Sep 17th, 2009

Hi all


I'd need to generate a syslog message after any failed ssh login attempt on my router.


Even though I read all the related documentation, I couldn't find a way to get it up and running. I can get a successful login syslog message, but not an unsuccessful one.


My relevant router config is as follows:


logging trap notifications

logging source-interface FastEthernet0/0

logging 10.24.50.91

login on-failure log

login on-success log

Router#

Sep 17 16:35:09 BST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: slizd] [Source: 19X.12X.20X.5X] [localport: 22] at 16:35:09 BST Thu Sep 17 2009

Router#


Any thoughts will be appreciated.

Thanks in advance

Draz

Overall Rating: 5 (1 ratings)
Correct Answer
cisco24x7 Fri, 09/18/2009 - 02:55

You need the following commands in the configuration:


login block-for 60 attempts 3 within 60

login delay 1

login on-failure log every 3

login on-success log


You will see these messages in the syslog server:


Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009

Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009

Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009


Easy, right?
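Added example, not part of the original post or Cisco's own code: a small Python parser for the %SEC_LOGIN lines shown above, as a syslog collector might use to flag sources that trip quiet mode or log in after a failure. The function names and alert wording are assumptions; the sample lines are copied from the answer.

```python
import re

# IOS tag, e.g. %SEC_LOGIN-4-LOGIN_FAILED: (facility-severity-mnemonic)
TAG = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):")
# Bracketed fields, e.g. [user: cciesec] or [Source: 10.109.114.40]
FIELD = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<value>[^\]]*)\]")

# Sample lines as received by the syslog server (taken from the answer above).
SAMPLE = [
    "Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009",
    "Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009",
    "Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009",
]

def parse_sec_login(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    tag = TAG.search(line)
    if tag is None:
        return None
    event = {"severity": int(tag["sev"]), "mnemonic": tag["mnemonic"]}
    # Only scan for [key: value] fields after the tag, lower-casing the keys.
    for field in FIELD.finditer(line, tag.end()):
        event[field["key"].lower()] = field["value"]
    return event

def alerts(lines):
    """Flag sources that tripped quiet mode or logged in after a failure."""
    failed, out = set(), []
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None or "source" not in ev:
            continue
        src = ev["source"]
        # With "login on-failure log every 3", one LOGIN_FAILED message is
        # sent per three failures, so message counts understate attempts.
        if ev["mnemonic"] == "LOGIN_FAILED":
            failed.add(src)
        elif ev["mnemonic"] == "QUIET_MODE_ON":
            out.append((src, "quiet mode triggered"))
        elif ev["mnemonic"] == "LOGIN_SUCCESS" and src in failed:
            out.append((src, "success after failure, user " + ev.get("user", "?")))
    return out

if __name__ == "__main__":
    for source, reason in alerts(SAMPLE):
        print(source, reason)
```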





dsliz Fri, 09/18/2009 - 04:08

Thanks for your help.


It works now. I'm just wondering why the command


login block-for


must be configured to get failed login syslog messages. I got success messages even without it...


But anyhow, your help and advice is much appreciated. Thanks

Draz
